You might think that the majority of cybersecurity breaches result from carefully planned and executed attacks. You may imagine hackers expertly crafting phishing emails to con employees into giving away access to critical systems, for example, or planting state-of-the-art malware on victims' servers.
The reality – as Zenity co-founder and CTO Michael Bargury explains in his most recent Dark Reading column – is less interesting, and perhaps more worrying. In many cases, attackers "virtually walk into victim organizations using the front door," as he writes, by exploiting flaws in the way low-code/no-code software handles credentials.
In other words, by taking advantage of poor credential management practices within low-code/no-code apps, attackers can easily gain access to any sensitive resources that the apps can access. They don't really have to "hack" anything. They just steal what's wide out in the open.
As Michael details, the root of this challenge lies in the fact that, in many cases, low-code/no-code development platforms allow app creators to embed their own user identities inside their apps. Then, when someone else uses an app, he or she has access to the same resources as the app's creator, whose account is essentially "impersonated."
Low-code/no-code development platforms allow makers to manage credentials in this way because it's convenient. Enabling credential sharing and impersonation is a lot simpler than setting up separate identities and credentials for each application user.
"Credential sharing is just way too easy on many platforms," Bargury notes. "A single checkbox stands between you and sharing your identity – for example, your ServiceNow or Salesforce account – with your entire organization."
Michael adds, "Under certain circumstances, users who gain access to a business application will gain direct access to its underlying database implicitly, without direct consent or knowledge." That's the bad news.
Now for the good news
As Michael also explains, it's possible for businesses to take advantage of the speed and simplicity that low-code/no-code brings to software development, while simultaneously mitigating the risk that their low-code/no-code apps become low-hanging fruit for attackers looking to steal access credentials. For Michael's take on how to square that circle, check out the full post.